Community Council | Posts: 4,920 | Thanked: 12,867 times | Joined on May 2012 @ Southern Finland
#2663
Thank you @pichlo for summing this up in such an excellent way!

You are correct that the 1st kind of authentication method is the most secure in theory, but fingerprint is unfortunately one of the least secure ways to do it; the simple fact is that we are all the time leaving the damn things around for anybody to take!

I'd say something like an iris scan would be acceptable (or even better, a retinal scan, since iris patterns can be copied off hi-resolution photos) provided the sensor could make a difference between a real living eye and a picture of an eye.
Or maybe an EEG scan; provided that brain patterns of people are different enough?
Anything based on stuff we leave lying around like fingermarks or DNA is useless IMHO.

The 2nd kind of authentication is a fairly good compromise, but it has this problem of being the kind that can be lost, damaged, stolen, given away,... etc.

As for passphrases/PINs; those are actually fairly secure since they are stored in the mind only. Losing those accidentally is much more difficult, provided of course people are not so stupid as writing 'em down on pieces of paper...

All in all, the best thing of course is to have access granted on a combination of two or more types of authentication; hence nowadays the trend of having 2-factor auth in many online systems. If done correctly it is mostly usable and secure enough.

And for the grand finale, a small tale on how this can easily go wrong.

Once upon a time there was a company that implemented remote connection security by a system where there were RSA tokens that generate an OTP code that one needed to salt with a PIN to get the access verification code.
This is fairly secure since the code was generated in a sealed box containing the algorithms and the PIN was memorized in the user's mind; you needed both something-you-have and something-you-know.

However this scheme has drawbacks; the token fobs cost money, the battery needs to be replaced every few years and there needs to be a whole support infrastructure and logistics for it.
Now the clever guys in some pennypinching department decided that it is important to save money, and they changed the system so that you need a software RSA token generator which can be run in a windoze PC or mobile phone, and that combined with the PIN provides the access code.

Now what's wrong with this thing? A plenty whole lotta!
What they had done is replace something-you-have & something-you-know with something-you-know & something-you-know!

A software solution is definitely not something-you-have. It can be copied to another system, given away, stolen without one ever knowing, etc...
Even though the RSA software is using a supposedly-unique-identifier of a windoze system-ID or cellphone IMEI, it's no protection since any child can write a wrapper/emulator around it to feed the application the data it expects...
The Following 7 Users Say Thank You to juiceme For This Useful Post:
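The point of the tale above, that a software token's secret is just data and a copy of it produces exactly the same codes, can be shown with a few lines of code. The following is an added example, not code from the post or from RSA's product: it implements the HOTP algorithm from RFC 4226 (using the RFC's published test-vector seed as a constructed demo seed), a toy software token whose whole state can be exported and re-imported, and a verifier that combines a PIN with the OTP (the "PIN followed by OTP" passcode layout is an assumption) and keeps the highest accepted counter so a replayed code is refused. The demo then clones the token from its exported state and shows that the verifier cannot tell the clone from the original; it only notices anything when the two copies collide on the same counter value.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226 test-vector secret, not any real token's seed.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class SoftwareToken:
    """Toy software token (assumed model, not RSA's product): its entire state is plain data."""

    def __init__(self, seed: bytes, counter: int = 0) -> None:
        self.seed = seed
        self.counter = counter

    def next_code(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code

    def export_state(self) -> dict:
        # A backup, a file copy or a memory dump of the app carries exactly this.
        return {"seed": self.seed, "counter": self.counter}

    @classmethod
    def from_state(cls, state: dict) -> "SoftwareToken":
        return cls(state["seed"], state["counter"])


class Verifier:
    """Server side: checks PIN + OTP and remembers the highest accepted counter to refuse replays."""

    def __init__(self, seed: bytes, pin: str, look_ahead: int = 5) -> None:
        self.seed = seed
        self.pin = pin
        self.look_ahead = look_ahead
        self.last_counter = -1

    def verify(self, passcode: str) -> bool:
        # Assumed combination scheme: the passcode is the PIN followed by the 6-digit OTP.
        if not passcode.startswith(self.pin):
            return False
        otp = passcode[len(self.pin):]
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                self.last_counter = c  # codes at or below this counter are now dead
                return True
        return False


def clone_demo() -> dict:
    """Why a copyable seed is not something-you-have: the clone is indistinguishable to the verifier."""
    pin = "1357"  # constructed demo PIN
    original = SoftwareToken(DEMO_SEED)
    verifier = Verifier(DEMO_SEED, pin)

    # The token state is copied once (e.g. from a backup); the clone then runs on its own.
    clone = SoftwareToken.from_state(original.export_state())

    results = {}
    results["original_first"] = verifier.verify(pin + original.next_code())           # counter 0: accepted
    results["clone_replays_same_counter"] = verifier.verify(pin + clone.next_code())  # counter 0 again: rejected
    results["clone_next_counter"] = verifier.verify(pin + clone.next_code())          # counter 1: accepted
    results["original_stale"] = verifier.verify(pin + original.next_code())          # counter 1, already used: rejected
    results["codes_identical"] = hotp(DEMO_SEED, 5) == hotp(clone.seed, 5)
    return results


if __name__ == "__main__":
    for name, outcome in clone_demo().items():
        print(f"{name}: {outcome}")
```

The replay check is the only handle the server has: once the clone has advanced past the original, its codes are accepted and the legitimate user's next code is the one that fails. A hardware fob keeps the seed where it cannot be exported at all, which is what makes it something-you-have in the first place.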